Wednesday, December 16, 2015

New European Privacy Plan Released!

Yesterday the European Parliament and Council announced they have (finally) agreed upon a new General Data Protection Regulation (the GDPR).  This is really big news for all U.S. companies that do business in Europe or with Europeans!

The GDPR has not yet been voted into law, but the agreed-upon language is probably quite close to the final law.  The International Association of Privacy Professionals (of which I'm a certified member) has published a great, concise list of the key provisions, which I commend to you:

• The law applies to any controller or processor of EU citizen data, regardless of where the controller or processer is headquartered.

• Notification of a data breach that creates significant risk for the data subjects involved must be made within 72 hours of the discovery of the breach.

• New powers are provided to data protection authorities, including the ability to fine organizations up to four percent of their annual revenue.

• Many organizations will now be required to appoint a data protection officer.

• Personal data may only be collected for “specified, explicit and legitimate purposes."  The text also introduces principles of “data minimization,” “accuracy,” “storage limitation” and “integrity and confidentiality.”

• The GDPR requires “accountability,” which means the “controller shall be responsible for and be able to demonstrate compliance” with the law.

• Processing of data will only be allowed with explicit consent, to perform a contract, to comply with a legal obligation, to protect the vital interests of the data subject, or to perform a task in the public interest.

• That consent has to be demonstrable upon demand, can be retracted by the data subject at any time.

• There will still be variation from member state to member state.

• Children under the age of 16 will need to get parental approval to give consent unless the member nation passes a law to lower the age no lower than 13.

• Special categories of personal data are established that include genetic, biometric, health, racial and political data, among others.

• Data controllers have to provide any information they hold about a data subject free of charge and within one month of request.

• A “right to erasure” is established, where controllers are required to delete personal data...even if the data has been made public already.

The next legislative step is for the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs ("LIBE Committee") to vote on the text tomorrow  (December 17) and if it passes, the full Parliament is expected to vote in January.

There is much more to come on this very significant development.  I will be sharing commentary on Twitter (@MattCordell and @PrivacyLawNC) and on LinkedIn as I come across it.


Tuesday, December 1, 2015

New N.C. Privacy Statute Becomes Effective


Several new North Carolina laws become effective today, December 1st, 2015. Among them are some privacy law enhancements including provisions that are known as the "revenge porn" statute. [Session Law 2015-250] Just over half of the states currently have such laws on the books, and about nine states' statutes create a civil remedy. The statutes are designed to address a troubling trend of people posting intimate images or video of another person, usually a former partner, on the internet to gain "revenge" by humiliating the person. Some states' courts recognize common law legal theories that can be used to combat this activity, but many states concluded that a specific statute was necessary and appropriate. As of today, North Carolina is among them.

The new statute makes it unlawful to "disclose a private image" if all five of the following facts and circumstances are present:

   (1) Intent. The person knowingly discloses an image of another person with the intent to coerce, harass, intimidate, demean, humiliate, or cause financial loss to the depicted person (or cause others to do so).

  (2) Identifiable. The depicted person must be identifiable from the disclosed image itself or information provided in connection with the image.

   (3) Private Parts or Conduct. The depicted person's intimate parts are exposed or the depicted person is engaged in sexual conduct in the image.

  (4) Lack of Consent. The person discloses the image without the affirmative consent of the depicted person.

  (5) Expectation of Privacy. The person discloses the image under circumstances such that the person knew or should have known that the depicted person had a reasonable expectation of privacy.

A violation of the statute is a felony and gives the person who is the subject of the image a right to sue the offending person. In a lawsuit, the subject of the image can recover his or her actual damages (which are assumed to be the higher of $1,000 per day for each day of the violation or $10,000); punitive damages (to punish the offender); and attorneys' fee and other litigation costs. A court can also order the destruction of the image(s). The lawsuit must be filed no later than one year after the discovery of the offense, and no later than seven years after the last known disclosure of the image.  

The criminal penalties may be subject to a Constitutional challenge in the future, because the First Amendment guarantees rights that the statute could be interpreted to limit. Similar statutes in several other states have been challenged on Constitutional grounds. It will be interesting to see how North Carolina's statute will fare when the inevitable challenge comes.

You can read more about the statute here.







Tuesday, October 6, 2015

The EU/US Safe Harbor Is No Longer Safe, Says The EU's Highest Court. Is Your Data A Liability?
Today, Europe's top court, the European Court of Justice, ruled that a 15-year-old pact between the United States and the European Union which allowed American organizations to handle the personal data of Europeans (the EU/US Safe Harbor) was invalid. The decision will have massive, far-reaching implications for American businesses and other organizations that are active in Europe.

The Backdrop

Trans-Atlantic data transfers involving the personal information of Europeans must comply with the Data Protection Directive, which is a European pact that has been adopted by each member state (i.e., most of Europe, but not Switzerland). The Directive requires that a transfer of personal data to a non-EU country may take place only if that country ensures an adequate level of data protection and privacy. The Directive also provides that the EU Data Protection Commission may determine that a non-EU country ensures an adequate level of protection as a result of that country's own domestic privacy laws or an international treaty.

The Facts

The challenge to the Safe Harbor arose in legal proceedings between an Austrian citizen, Mr. Maximilian Schrems, and the Irish Data Protection Commissioner concerning the Commissioner's refusal to investigate a complaint made by Schrems. Schrems has been a Facebook user since 2008, and some or all of the data provided by Schrems to Facebook was transferred from Facebook’s Irish subsidiary to servers located in the United States. Schrems lodged a complaint with the Irish Commissioner, alleging that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the US intelligence services (specifically the NSA), the law and practice of the United States do not offer sufficient protection against surveillance.

The Issues

In response to Schrems' allegations, Facebook pointed out that it was fully compliant with the EU/US Safe Harbor and the US Department of Commerce's requirements for participation in the Safe Harbor. The Irish Commissioner refused to consider the complaint because the EU Data Protection Commission had long ago ruled (in 2000) that the EU/US Safe Harbor was a valid basis for the trans-Atlantic transfer of personal data of European citizens. (As a technical legal matter, the case was a challenge of the validity of Commission Decision 2000/520/EC (26 July 2000) pursuant to Directive 95/46 on the adequacy of the protection provided by the safe harbor privacy principles and related FAQ issued by the US Department of Commerce.)

The Court's Conclusions

The Court concluded that the decision by the EU Data Protection Commission that the EU/US Safe Harbor is valid did not preclude a member nation's Data Protection Commissioner (in this case Ireland) from reaching the opposite conclusion. The Court ruled that the Irish Commissioner should have heard the complaint and made an independent determination whether the EU/US Safe Harbor provides adequate protection of the personal information of EU citizens in light of the fact that the US government's surveillance programs might not respect the privacy of EU citizens as interpreted under EU law.

The Court went further to evaluate the 2000 decision of the EU Data Protection Commission. It determined that in the US, national security, public interest, orlaw enforcement interests prevail over the Safe Harbor scheme, so that US organizations are required by US law to disregard the protective rules laid down by the Safe Harbor when they conflict with US policy interests. The Court then concluded that US law, and the Safe Harbor, enable interference by United States national security and law enforcement authorities with the fundamental rights of Europeans. This interference is incompatible with the Directive, said the Court.

Having reached these conclusions, the Court held that the Irish Commissioner was required to evaluate Schrems’ complaint "with all due diligence" and following its "investigation," was obligated to "decide whether, pursuant to the Directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data." The Court essentially remanded the case to the Irish Commissioner with instructions to evaluate the issues, and with the subtext that the EU/US Safe Harbor is inadequate.

You can read the Court's decision here, and the Court's press release here.

No appeal is possible, because the European Court of Justice is the equivalent of the U.S. Supreme Court--the court of last resort. Simultaneously, European leaders and US officials are negotiating a new agreement on trans-Atlantic data transfers. Today's decision will no doubt create a new degree of urgency in those talks.

What Does It Mean to Your Organization?

In other words, the Safe Harbor is no longer SAFE at all!The likely outcome of this decision is that transfers of personal data made under the auspices of the Safe Harbor may violate European data protection laws. In other words the Safe Harbor is not really "safe" after all. Without the Safe Harbor, each country in the EU could reach different conclusions as to whether US privacy laws and practices satisfy the EU's Directive, which would require US companies to address each member nation's laws individually rather than satisfying a single set of EU requirements. This could create enormous obstacles to US organizations doing business in Europe.

As a result, organizations are well-advised to take a belt-and-suspenders approach (or "belt-and-braces" as they say across the Atlantic) by ensuring that data transfers are justified on another basis (in addition to compliance with the Safe Harbor). Those other bases include "binding corporate resolutions" (in which the organization essentially passes a binding corporate resolution and to comply with EU law with respect to EU personal data) and "model clauses" (which are contractual obligations to comply with EU privacy requirements). The binding corporate resolutions and model clauses have frequently been deemed more onerous for US organizations than the Safe Harbor's requirements, and have historically been less popular among US organizations.

- Matt Cordell

Friday, July 3, 2015

I'm a Certified Information Privacy Professional. (What Does That Mean?)

I recently became IAPP CIPP/US certified.  "What does that mean?" you ask?  Good question! 

What is the CIPP/US designation?

The International Association of Privacy Professionals (IAPP) is a nonprofit association of privacy professionals--the largest in the world. The IAPP issues the Certified Information Privacy Professional (CIPP) designations, which are the most recognized information privacy certifications globally. The CIPP/US credential demonstrates an understanding of privacy and security concepts, best practices, and international norms, with a specific emphasis on U.S. privacy and information security laws.   Applicants are tested to ensure they have the requisite knowledge in the following areas:

I. The U.S. Privacy Environment
A. Structure of U.S. Law
i. Constitutions
ii. Legislation
iii. Regulations and rules
iv. Case law
v. Common law
vi. Contract law
c. Legal definitions
d. Regulatory authorities
i. Federal Trade Commission (FTC)
ii. Federal Communications Commission (FCC)
iii. Department of Commerce (DoC)
iv. Department of Health and Human Services (HHS)
v. Banking regulators
vi. State attorneys general
vii. Self-regulatory programs and trust marks
e. Understanding laws
i. Scope and application
ii. Analyzing a law
iii. Determining jurisdiction
iv. Preemption
B. Enforcement of U.S. Privacy and Security Laws
a. Criminal versus civil liability
b. General theories of legal liability
i. Contract
ii. Tort
iii. Civil enforcement
c. Negligence
d. Unfair and deceptive trade practices (UDTP)
e. Federal enforcement actions
f. State enforcement (Attorneys General (AGs), etc.)
g. Cross-border enforcement issues (Global Privacy Enforcement Network (GPEN))
h. Self-regulatory enforcement (PCI, Trust Marks)
C. Information Management from a U.S. Perspective
a. Data classification
b. Privacy program development
c. Incident response programs
d. Training
e. Accountability
f. Data retention and disposal (FACTA)
g. Vendor management
i. Vendor incidents
h. International data transfers
i. U.S. Safe Harbor
ii. Binding Corporate Rules (BCRs)
i. Other key considerations for U.S.-based global multinational companies
j. Resolving multinational compliance conflicts
i. EU data protection versus e-discovery
II. Limits on Private-sector Collection and Use of Data
A. Cross-sector FTC Privacy Protection
a. The Federal Trade Commission Act
b. FTC Privacy Enforcement Actions
c. FTC Security Enforcement Actions
d. The Children’s Online Privacy Protection Act of 1998 (COPPA)
B. Medical
a. The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
i. HIPAA privacy rule
ii. HIPAA security rule
b. Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
C. Financial
a. The Fair Credit Reporting Act of 1970 (FCRA)
b. The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
c. The Financial Services Modernization Act of 1999 ("Gramm-Leach-Bliley" or GLBA)
i. GLBA privacy rule
ii. GLBA safeguards rule
d. Red Flags Rule
e. Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010
f. Consumer Financial Protection Bureau
D. Education
a. Family Educational Rights and Privacy Act of 1974 (FERPA)
E. Telecommunications and Marketing
a. Telemarketing sales rule (TSR) and the Telephone Consumer Protection Act of 1991 (TCPA)
i. The Do-Not-Call registry (DNC)
b. Combating the Assault of Non-solicited Pornography and Marketing Act of 2003 (CAN-SPAM)
c. The Junk Fax Prevention Act of 2005 (JFPA)
d. The Wireless Domain Registry
e. Telecommunications Act of 1996 and Customer Proprietary Network Information
f. Video Privacy Protection Act of 1988 (VPPA)
g. Cable Communications Privacy Act of 1984
III. Government and Court Access to Private-sector Information
A. Law Enforcement and Privacy
a. Access to financial data
i. Right to Financial Privacy Act of 1978
ii. The Bank Secrecy Act
b. Access to communications
i. Wiretaps
ii. Electronic Communications Privacy Act (ECPA)
1. E-mails
2. Stored records
3. Pen registers
c. The Communications Assistance to Law Enforcement Act (CALEA)
B. National Security and Privacy
a. Foreign Intelligence Surveillance Act of 1978 (FISA)
i. Wiretaps
ii. E-mails and stored records
iii. National security letters
b. Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA-Patriot Act)
i. Other changes after USA-Patriot Act
C. Civil Litigation and Privacy
a. Compelled disclosure of media information
i. Privacy Protection Act of 1980
b. Electronic discovery
IV. Workplace Privacy
A. Introduction to Workplace Privacy
a. Workplace privacy concepts
i. Human resources management
b. U.S. agencies regulating workplace privacy issues
i. Federal Trade Commission (FTC)
ii. Department of Labor
iii. Equal Employment Opportunity Commission (EEOC)
iv. National Labor Relations Board (NLRB)
v. Occupational Safety and Health Act (OSHA)
vi. Securities and Exchange Commission (SEC)
c. U.S. Anti-discrimination laws
i. The Civil Rights Act of 1964
ii. Americans with Disabilities Act (ADA)
iii. Genetic Information Nondiscrimination Act (GINA)
B. Privacy before, during and after employment
a. Employee background screening
i. Requirements under FCRA
ii. Methods
1. Personality and psychological evaluations
2. Polygraph testing
3. Drug and alcohol testing
4. Social media
b. Employee monitoring
i. Technologies
1. Computer usage (including social media)
2. Location-based services (LBS)
3. Mobile computing
4. E-mail
5. Postal mail
6. Photography
7. Telephony
8. Video
ii. Requirements under the Electronic Communications Privacy Act of 1986 (ECPA)
iii. Unionized worker issues concerning monitoring in the U.S. workplace
c. Investigation of employee misconduct
i. Data handling in misconduct investigations
ii. Use of third parties in investigations
iii. Documenting performance problems
iv. Balancing rights of multiple individuals in a single situation
d. Termination of the employment relationship
i. Transition management
ii. Records retention
iii. References
V. State Privacy Laws
A. Federal vs. state authority
B. Marketing laws
C. Financial Data
a. Credit history
b. California SB-1
D. Data Security Laws
a. SSN
b. Data destruction
E. Data Breach Notification Laws
a. Elements of state data breach notification laws
b. Key differences among states

Why did you decide to get the CIPP/US certification? 

More and more people are claiming to be privacy experts these days, including a number of lawyers.  Although very few law firms advertised a privacy practice group as of just a few years ago, almost all
large law firms do now...with varying degrees of credibility.  Some lawyers are holding themselves out as privacy experts when their expertise is limited to a couple of privacy laws and a specific context.  They are nonetheless re-branding themselves as "privacy" lawyers.  While there certainly are more lawyers who are competent in a range of privacy and information security issues than ever before, they remain few and far between.  The CIPP/US certification is perhaps the best way to clearly and immediately demonstrate an understanding of the core concepts and legal issues of privacy and information security. 

Does the CIPP/US designation guarantee expertise?

The CIPP/US designation does not guarantee expertise in any particular area of privacy law. The certification tests (there are currently two) do not require the depth of understanding that a true expert must have. For example, the study guides and tests cover financial privacy issues at a level of depth just beyond the surface. There is much more to know about financial privacy law and practice. However, the CIPP/US designation does provide assurance that the certificate holder is at least aware of the salient issues and knows where to find answers or guidance, and those two items are very important. Furthermore, certification requires ongoing learning. Mainting IAPP CIPP certification requires the holder to fulfill 20 hours of continuing privacy education (CPE) per two-year period, to ensure the holder's knowlege remains up to date.
The CIPP/US certification is no guarantee of true legal expertise, but it does provide an independent confirmation of basic competence across a broad spectrum of privacy and information security law. It also tells you that the holder is continuing to build upon his or her knowledge in these areas.

* The N.C. State Bar, the regulatory body that supervises and disciplines lawyers licensed in North Carolina, prohibits a lawyer from using the term "specialized" to describe anything other than a N.C. Bar-issued certificate of specalization in one of a very limited number of fields of law. There is no specalization certificate available from the N.C. State Bar for privacy, information security, or any related field of law. 

Sunday, March 1, 2015

Information Security Breaches, Unauthorized Transactions, and Account Takeovers...or "What You Missed"

On Friday, I had the honor to join some distinguished speakers for an all-day continuing legal education seminar on computer technology and the law.  My fellow presenters were:
  • Clark Walton, former CIA forensic computer analyst, lawyer with Alexander Ricks, and founder of computer forensic firm Reliance Forensics (and formerly Chair of the NCBA Young Lawyers Division and the American Bar Association's Young Lawyer of the Year).
  • Ashden Fein, lead prosecutor of Private Bradley Manning in the WikiLeaks trial and now lawyer with Covington & Burling in Washington, D.C.
  • Chris Swecker, former Assistant Director of the FBI, lawyer, and security consultant.
  • Kim Korando, employment lawyer with Smith Anderson.
  • Joyce Brafford, law practice technology guru with the NCBA's Center for Practice Management.
It was a fascinating day, and I enjoyed hearing from these great speakers more than I enjoyed speaking myself. 

In the course of my presentation, we discussed the various legal response requirements following a data security breach, as well as liability for unauthorized transfers in consumer and commercial accounts. 

The program was well-attended in person and by webinar, but if you missed the opportunity to attend, I am providing a link to my slideshow here.  I hope you find it useful.

Friday, January 16, 2015

What Would the President's Security Breach Notification Proposal Mean for North Carolina?

Earlier this week, the President announced a new cybersecurity initiative.  The White House explained that:
"[t]here is a growing perception that individuals have lost control of their personal information; a negative implication of such a view is it may serve as an inhibitor of the use of technology, stymie innovation, and contribute to a less productive economy." 
Of course, the President has no legal authority to implement most of his proposals.  The Constitution gives Congress the sole power to introduce and pass legislation.  The President's role is simply to sign or veto a bill once Congress approves.  However, the President's bully pulpit gives him the practical ability to influence Congress' agenda.  The primary purpose of the  President's current cybersecurity push is to pressure Congress to enact comprehensive cybersecurity legislation.
As of now, the White House has not disclosed all of the text of the proposed bill--only bits and pieces.  What we have been told is that the proposal has multiple components.  One component that has been described in detail is the breach notification requirement (styled as "The Personal Data Notification & Protection Act"), the full text of which you can read here

North Carolina and 45 other states already have a data breach notification law.  This might suggest that there is no need for a nationwide breach notification rule.  Are state breach notification rules inadequate?  Is there a compelling need for nationwide uniformity?  These are important policy questions.  In order to evaluate them, it might be helpful to understand how the White House proposal differs from state laws--particularly the data breach notification requirement found in the North Carolina Identity Theft Protection Act.  This blog post will compare the White House proposal to North Carolina's existing breach notification requirement.

Entities Covered.  The North Carolina breach notice statute applies to any business in North Carolina or that "owns or licenses" information about North Carolina residents.  Under the White House proposal, only businesses that hold sensitive personally identifiable information about more than 10,000 individuals would be covered.

The Reporting Requirement of a Security Breach.  The White House proposal would require business entities to give notice of a "security breach" involving "sensitive personally identifiable information."

The term "security breach" in the White House proposal would mean a "compromise of the security, confidentiality, or integrity of, or the loss of, computerized data that results in, or there is a reasonable basis to conclude has resulted in...unauthorized acquisition... or access...."

The term is defined slightly differently under North Carolina law.  Under our Identity Theft Protection Act, a security breach is "[a]n incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer."

Here's one difference: It would be harder to avoid reporting "low risk" incidents under the White House proposal. There are all sorts of scenarious that might result in unauthorized access, some of which can be relatively innocuous, and probably do not warrant reporting. You can imagine such situations easily. The White House proposal would make it harder to avoid reporting in these situations. Under the North Carolina law, a breach occurs when "illegal" use "has occurred or is reasonably likely to occur" or there is "a material risk of harm to a consumer." Under the White House proposal, there is a breach, and therefore a reporting requirement (at least to the FTC), if there is an "unauthorized acquisition" or " excess of authorization." Under the White House proposal, even if the incident presents a low degree of risk, it must be disclosed to the FTC.

Here's another difference: Under the North Carolina statute, if a hard drive is stolen, but it's encrypted, there is no breach.  Under the NC statute, that ends the analysis, and there is no reporting requirement. Under the White House proposal, there is a breach, even if the information was encrypted, and the custodian of the information would then have to undertake a risk assessment to determine if there is a "reasonable risk that a security breach has resulted in, or will result in, harm to the individuals."  Encryption might support a presumption that there is no reasonable risk of harm.  However, under the White House proposal, the business would be required to self-report to the Federal Trade Commission within 30 days:
    (i) that it had experienced a breach and conducted a risk assessment,
    (ii) the results of the risk assessment,
    (iii) that it had concluded that there was no reasonable risk to individuals; and
    (iv) logging data (i.e., records of access and changes to a database) for the six months prior and database users' and administrators' log-in information.

Definition of Personal Information.  The term "sensitive personally identifiable information" is defined in the White House proposal similarly to the term "personal information" in the North Carolina statute, except that the White House proposal is slightly more broad and would also allow the Federal Trade Commission to create other categories of "sensitive personally identifiable information" by rule.  In this way, the White House proposal might be more easily adjusted to changes in technology.

Timing of Notice.  The days immediately following discovery of a security breach are difficult for a business, as well as being important to law enforcement.  The first priority is almost always to identify and eliminate vulnerabilities.  Businesses are reluctant to make public statements before they have obtained and analyzed the facts. Each of these steps may require outside help from forensic computer experts and security experts. It takes time. One of the ways in which the White House proposal differs from the North Carolina statute is the timing of reporting obligations.  Under the both the North Carolina statute and the White House proposal, the breached business must notify affected customers "without unreasonable delay."  However, under the White House proposal, that means no later than 30 days unless the FTC grants an extension. 

Public Notice.  In addition to notifying affected individuals, state statutes often require a public announcement, of some sort, of the breach.  Under the North Carolina statute, the business must notify statewide media of the breach (and place a notice on its website) only if it chooses not to contact affected individuals directly because the cost of providing notice would exceed $250,000 or the number of affected individuals exceeds 500,000.  Under the White House proposal, if more than 5,000 residents of any particular state are affected, the breached business must notify statewide "major media outlets" of the breach. 

Under the White House proposal, if more than 5,000 individuals are affected by a breach, the business must notify the credit reporting agencies.  Under the North Carolina statute, the threshold for making such a report is 1,000. 

Allocation of Responsibility to Provide Notice.  Under the North Carolina statute, the reporting obligation falls on the business that "owns or licenses" the personal information. A third party custodian who does not own or license the information must merely notify the owner or licensee of the information (not the affected individuals) in the event of a breach. The North Carolina statute does not address whether the owner/licensor can agree with the custodian that, in the event of a breach, the custodian would be responsible to provide notice to customers.

The White House proposal expressly allows owners/licensees and custodians to enter into a contract that allocates the responsibility to notify affected individuals of a breach; however, the notice must include reference to the party who has a direct business relationship with the affected individuals (i.e., the owner/licensee).

Summary.  As you can see, the White House proposal differs from existing North Carolina law in a number of ways.  From the perspective of a business that has consumer data, the White House proposal generally seems more burdensome; however, for businesses operating in multiple states, the additional obligations of the White House proposal might be outweighed by the benefits of having a uniform law across jurisdictions.  (Responding to a multi-state breach is very challenging because of the variation in state breach response laws.) 

Whether Congress will take up the proposal in earnest, and whether legislation resembling the White House proposal will pass both houses, is anyone's guess, but one thing is clear at this point--the President has initiated a public dialogue on these issues. 

Sunday, January 11, 2015

What To Do When Your Identity Has Been Stolen: A 10-Step Guide

On several occasions, I've been asked to help individuals whose identities have been stolen.  However, most of the time, it's not cost-effective for a lawyer to handle the majority of the initial steps in responding to the theft of an individual's identity.  Instead, the affected person is usually best advised to handle most of the first steps themselves.*

As a public service, I'm providing the following step-by-step guide for individuals who suspect that credit has been obtained in their name without their consent.  (There are other kinds of identity theft, but credit theft is most common.)  Although the Federal Trade Commission has an a good guide for victims of identity theft, it (i) requires you to read several different webpages instead of just one, and (ii) does not explain the state-law-specific aspects of recovering from identity theft.  This is intended to be a simplified guide for North Carolina residents.

1.  Put a Fraud Alert on Your Credit Report.  Call any one of the three major credit reporting agencies and instruct them to place a fraud alert on your credit report.  (Tell the agency you contact to tell the other two to do the same...although there's no harm in calling all three yourself). You'll be required to prove your identity when placing a fraud alert.  There will be no cost.  The purpose of a fraud alert is to make it harder for an identity thief to open more accounts in your name. An initial fraud alert lasts 90 days, but can be renewed.  

You can contact the credit reporting agencies at the following:
  • Equifax - 1-800-525-6285,, P.O. Box 740241, Atlanta, GA 30374-0241;
  • Experian - 1-888-397-3742,, P.O. Box 2104, Allen, TX 75013-0949;
  • TransUnion - 1-800-680-7289,, P.O. Box 1000, Chester, PA 19022. 

2.  Order Your Free Credit Reports.  When placing a fraud report, you are entitled to a free credit report from each of the three major credit reporting agencies.  The agency that you call (as instructed in #1 above) will explain your rights and how you can get a free copy of your credit report.  You could also use this form.

3.  Submit an Affidavit to the FTC.  Write out a description of how you learned about the suspected identity theft and everything you've learned about it since, in as much detail as you can.  Next, you need to put this information into the form of an affidavit (a sworn written statement).  The Federal Trade Commission has a helpful tool (called the "FTC Complaint Assistant") to put your information into the proper form, which you can use for free at  When finished, submit the affidavit to the FTC through the website.  Print or save a copy for your records. (Alternatively, you can use this form.)

4.  File a Police Report.  Call the local law enforcement agency (a) where the theft appears to have occurred, or (b) where you live, or (c) both.  In North Carolina, this is usually a police department if you live in a city or town, or a county sheriff's department if you live outside a municipality (though there are exceptions to this general rule).  File a police report.  (Either they will send an officer to you, or will ask you to come to the station.)  Give the officer a copy of your FTC Identity Theft Affidavit.  Also give the officer a copy of the FTC's official memo to local law enforcement agencies, a copy of which is available here.  Ask to  be given a copy of the police report once it's ready.
5.   File an FTC ID Theft Report. Together, your FTC Affidavit and the police report comprise an "FTC ID Theft Report." An FTC Report can help you (i) get fraudulent information removed from your credit report; (ii) stop a company from attempting to collect debts from you that result from identity theft, or from selling the debt to another company for collection, (iii) extend the fraud alert on your credit report; and (iv) get information from companies about any accounts the identity thief opened or misused. Send the ID Theft Report to the credit bureaus and to any organization affected by the ID theft (such as a retailer or credit card company).
Send an ID Theft Report to the credit reporting agencies, and tell them whether you want to extend the fraud alert or initiate a security freeze (see #6 below). In either case, you should notify all three of the credit reporting agencies.

6.  Decide Whether You Want to Extend the Fraud Alert or Institute a Credit Freeze.   Next, you need to decide whether to (a) extend the fraud alert or (b) initiate a security freeze. 

Once you have created an ID Theft Report (FTC affidavit plus police report), you are entitled under federal law to extend your fraud alert for seven years.  When you extend the fraud alert, you can get two free credit reports within 12 months from each of the three major credit reporting bureaus, and they must take your name off marketing lists for prescreened credit offers for five years, unless you ask them to put your name back on the list.

North Carolina residents are entitled by state law to "freeze" their credit reports. When a security freeze is in place, a consumer reporting agency may not release your credit report or information to a third party without your prior express authorization. If you want someone (such as a lender or employer) to be able to review your credit report (for a credit application or background check), you must ask the credit reporting agency to lift the security freeze. You can ask to lift the security freeze temporarily or permanently.  (The credit reporting agency is required by NC law to give you a unique PIN or password when you initiate the security freeze to be used by you when requesting a temporary or permanent lift of the freeze.)  If you request a lift to the freeze by mail, the agency has three business days to comply, but if you request electronically or by telephone, the agency must comply with the request within 15 minutes.  Putting a credit freeze on your credit file does not affect your credit score.

The cost to place and lift a freeze, and how long the freeze lasts, depends upon state law.  Here in North Carolina, a freeze lasts as long as you wish, and a consumer reporting agency cannot charge a fee to put a security freeze in place, remove a freeze, or lift a freeze if your request is made electronically. If you request a security freeze by telephone or by mail, a consumer reporting agency can charge up to $3.00 (unless you are 62 or older, or have submitted a police report--see #4 and #5 above). 
So, to summarize, a "security freeze" generally stops all access to your credit report unless you lift it, while an "extended fraud alert" permits creditors to get your report as long as they take steps to verify your identity.  My general preference is  the freeze, because it gives you the most control.
7.  Review Your Credit Reports and Dispute Errors.  Carefully review your credit reports for errors.  If errors on your credit report are the result of identity theft and you have submitted an Identity Theft Report, you are entitled to tell the credit reporting companies to block the disputed information from appearing on your credit report. Here is a sample letter that may be helpful.
The credit reporting agency will notify the relevant business of any disputed information, after which the business has 30 days to investigate and respond to the credit reporting agency. If the business finds an error, it must notify the credit reporting agency so your credit file can be corrected. If your credit file changes because of the business’ investigation, the credit reporting agency will send you a letter to notify you. The credit reporting agency cannot return the disputed information to your file unless the business says the information is correct. If the credit reporting company puts the information back in your file, it will send you a letter telling you that.
8.  Contact Any Businesses Involved. If you are aware of specific accounts that have been opened in your name without authorization, or existing accounts that have been accessed without your authorization, contact those organizations, even if you have already notified the credit reporting agencies of the problem. Ask to speak to someone in the fraud department. Ask them to reverse any unauthorized charges and to preserve all records for use by law enforcement. You might also want to ask them to simply close the accounts, and open new accounts for you. [Use different access credentials (such as a PIN or password) for the new accounts.] Ask for copies of any documents used by the identity thief. (Here's a sample letter.) Ask for a letter confirming that any fraudulent information has been removed or transactions reversed.  Also ask them to stop reporting information relating to the fraud to credit reporting agencies.  As soon as you conclude the conversation, memorialize your discussion in a certified letter to the organization.  Here is a sample.  
9.  Stop Debt Collectors from Contacting You about Fraudulent Debts.  If an identity thief opens accounts in your name and doesn’t pay the bills, a debt collector may contact you. To stop debt collectors from contacting you, in addition to the steps described above, you can send them a letter using this form.

10. Additional Tips: 
  • Remember to record the dates you made calls or sent letters.
  • Keep copies of all correspondence in your files.
  • A number of sample letters are available here.
I hope you find this guide helpful.  Please feel free to share it with your family, friends, and colleagues.  Although I hope you never need it, I encourage you to bookmark this post for quick reference, along with the FTC's ID Theft website and the NC DOJ's website, just in case.


* When the person whose identity has been stolen either (a) lacks the ability to respond themselves, whether due to a disability, age, or otherwise, or (b) is someone whose time is sufficiently valuable that it makes economic sense for them to hire someone else to remedy the situation, a lawyer/paralegal team may be well-position to handle these matters.  Otherwise, it makes sense for the affected person to handle most aspects of resolving a stolen identity, with limited guidance from a knowledgeable lawyer.

IMPORTANT: This blog post is for educational purposes only, and does NOT constitute legal advice.  You should consult with your own attorney about your specific situation.  This blog post does not create an attorney-client relationship, and it will not be updated to reflect changes in law or practices, so you should refer to other sources to ensure you receive the most accurate, up-to-date information.

Thursday, January 8, 2015

Why Are the Federal Trade Commission's Privacy and Information Security Expectations Unclear, and Has the FTC Gone Too Far?

One of the most frustrating things about privacy and information security law is the lack of certainty when it comes to acceptable uses and protocols. This piece is intended to explain some of the reasons for the uncertainty, and to highlight a pending case that might shed additional light.

Bills to create nationwide privacy and information security rules seem unable to gain traction in Congress. (Perhaps that will change with the new class of legislators having just been sworn into office.) At present, the United States has no comprehensive privacy statute nor is there a comprehensive set of privacy regulations. Instead, we have a "patchwork" of privacy regulation:
Most privacy laws in the United States are industry-specific and enforced by industry-specific agencies. For example, the federal banking agencies (the FDIC, OCC, FRB, and NCUA) govern financial institutions' handling of financial information, and the Department of Health and Human Services holds healthcare providers responsible for following the health information privacy rules.

At the federal level, the Federal Trade Commission is the agency with the broadest reach to address privacy and information security issues. The FTC has taken the role of filling the gaps left by the patchwork of regulations by pursuing enforcement actions against all sorts of companies for all sorts of privacy-related issues. But from where does the FTC's broad authority over privacy practices come, and how far does it reach? Certain specific federal statutes give the FTC authority over specific issues, like the privacy of children's information on the internet, and credit reports, but what about the FTC's authority over the broad spectrum of privacy-related issues?

The Federal Trade Commission Act prohibits "unfair and deceptive acts and practices in or affecting commerce.” The FTC relies upon this broad language to justify its sometimes aggressive enforcement actions against organizations that do not handle customer information in the way the FTC finds acceptable. For example, the FTC has pursued, and extracted large sums of money from, many website operators and social media platforms that it alleged had failed to carry out the promises those companies had made in their privacy policy statements, on the grounds that such shortcoming were "deceptive acts" (and more recently, also "unfair"). Privacy lawyers have observed that the FTC seems to take a very expansive view of its statutory authority in these contexts, but most companies that have found themselves in the crosshairs of the FTC have settled rather than challenge the FTC's authority (such as Facebook, Twitter and Google, as I've written about here).

Another significant problem with the FTC's broad and ambiguous authority is that the FTC has not been given the explicit authority to write and publish regulations governing privacy and data security generally. As a result, the FTC "regulates by enforcement," meaning the primary way in which we know what will draw the FTC's ire is by looking at the instances in which it has brought enforcement actions in the past and drawing inferences from the court filings and settlement agreements that become public. The obvious problem is that the rules of the game are not given to the players at the outset of the game, and are never made perfectly clear. Only by carefully observing the FTC's public actions and public statements can we begin to infer the kinds of activities that might trigger FTC action. Regulating privacy and information security in this way (after-the-fact punishment based on very broad principles) leaves a lot of room for uncertainty, and many organizations are craving clarity in these areas.

A case pending before the Third Circuit Court of Appeals may result in additional certainty: The FTC brought an enforcement action against Wyndham Hotels following information security lapses by the hotel chain, but Wyndham is fighting back, arguing that the FTC lacks the authority under the FTC Act to bring data security enforcement actions, as well as arguing that the FTC failed to give it fair notice of the security practices the FTC expects. Wyndham further challenges the FTC's claim that its practices were "unfair." (A practice is "unfair" under the FTC Act only if it "causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”)

Because most FTC enforcement actions in this area result in settlement, this is the first time a federal appeals court will be asked to clarify the FTC's role in data security. You can bet privacy and information security lawyers and other InfoSec professionals will be watching this case closely!

In Good Company

It is an honor to see my name among the names of so many fine lawyers across the state in the 2015 "Legal Elite." This year I was listed in the "Business" category, as well as the "Young Guns" category. Business North Carolina magazine surveys more than 20,000 North Carolina lawyers by asking the following question: "Whom would you rate among the current best in these categories [of law]?" The results are compiled, and fewer than 3% of the lawyers in North Carolina are then named to the list.

My sincere thanks go out to all of the lawyers across North Carolina who participated in the peer review process conducted by Business North Carolina magazine. I certainly do appreciate your support. I know that many of you read this blog, and I have the privilege to work with many of you through the North Carolina Bar Association on important issues affecting our state and our profession. I truly appreciate your friendship and trust. I consider it a privilege to be able to recommend several of you for well-deserved recognition, and I am pleased to see some very deserving names on this year's list (although there are several others I wish had also been included). May this new year bring each of you the success and recognition you have earned.